
Implementing selective subtraction of perms via addition of inverse permissions in the ES Security model


lloydmeta/less-is-moar-union_only-perms-model


Subtraction via addition in an additive only perms model

An exploration in how to express "allow all except for these" perms when the authorisation backend is the ES Security model, which is unions-only.

This "subtracting-via-adding" could be applied in other similarly-constrained-and-not-uncommon backends, but this repo holds a demo that only interfaces with ES and its Security model.

Basic premise

  • If we make the result of each action permission check for an actor and object a vector (a magnitude with a direction), that is, 0, 1 or -1, we can "subtract by adding".
  • If we only have booleans (1 or 0), assume there is a can_do function that returns 0 if the "current" actor does not have permission to perform $action_0$ on the input object and 1 otherwise, and that it can do the same for an "inverse" action, say $action_0^{-1}$, which is granted if the input actor has been explicitly disallowed from doing $action_0$ on the input object. Then:

$$\begin{align*}
{authorised\_total_{actor}}(action_{0..n}, object) &= \sum_{a=0}^{n}\big(can\_do_{actor}(action_a, object) + (-1 \cdot can\_do_{actor}(action_a^{-1}, object))\big)\\
{authorised}_{actor}(action_{0..n}, object) &= \begin{cases} 1 & \text{if } {authorised\_total_{actor}}(action_{0..n}, object) = n \\ 0 & \text{otherwise.} \end{cases}
\end{align*}$$

There is probably a way to express the above in terms of multiplication, but addition feels like a more straightforward mapping.

The isAuthorised function in poc.sc demonstrates an implementation of the above building on
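
The sum above, as an added Scala script example that is not the repo's poc.sc: an in-memory stand-in replaces ES, and `Role`, `canDo`, `net`, `isAuthorisedFor`, the `inverse:` prefix and the `*` wildcard are assumed names. It also shows that the union-only check still grants the action after the inverse role is added, so the denial exists only where the caller computes the sum.

```scala
// Added illustration: an in-memory stand-in for a union-only backend.
// Role, inverse, canDo and the "*" wildcard are assumptions, not the repo's poc.sc.
final case class Role(privilege: String, resources: Set[String])

// Hypothetical naming convention for the inverse of a privilege.
def inverse(privilege: String): String = s"inverse:$privilege"

// Union-only check: 1 if ANY role grants the privilege on the resource, else 0.
// Roles can only add access here; nothing in this function can take it away.
def canDo(roles: Seq[Role], privilege: String, resource: String): Int = {
  val granted = roles.exists { r =>
    r.privilege == privilege &&
      (r.resources.contains("*") || r.resources.contains(resource))
  }
  if (granted) 1 else 0
}

// Net value for one action: 1 = allowed, 0 = allowed but subtracted (or never
// granted), -1 = subtracted without ever being granted.
def net(roles: Seq[Role], action: String, resource: String): Int =
  canDo(roles, action, resource) - canDo(roles, inverse(action), resource)

// Authorised only when every requested action nets to 1.
def isAuthorisedFor(roles: Seq[Role], actions: Seq[String], resource: String): Boolean =
  actions.map(net(roles, _, resource)).sum == actions.size

// Constructed sample data: a blanket grant plus one subtracted deployment.
val edit = "deployment:edit"
val support = Role(edit, Set("*"))
val blocked = Role(inverse(edit), Set("depl-123"))

assert(isAuthorisedFor(Seq(support), Seq(edit), "depl-123"))
assert(!isAuthorisedFor(Seq(support, blocked), Seq(edit), "depl-123"))
assert(isAuthorisedFor(Seq(support, blocked), Seq(edit), "depl-456"))
// The backend alone still says yes: the subtraction exists only in the caller's sum.
assert(canDo(Seq(support, blocked), edit, "depl-123") == 1)
// An inverse grant with no positive grant nets to -1, which is also a denial.
assert(net(Seq(blocked), edit, "depl-123") == -1)
// Emptying the inverse role's resource list restores access.
val cleared = blocked.copy(resources = Set.empty[String])
assert(isAuthorisedFor(Seq(support, cleared), Seq(edit), "depl-123"))
```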

Running the PoC

Requires

Running

  1. make start-es to bring up ES; wait until it's up before proceeding.

    The message "✅ Elasticsearch security features have been automatically configured!" should show up.

  2. make repl in a separate terminal to load up a REPL with the PoC functions loaded in and tested.

  3. Test it out

    1. Assert that the Support user has blanket permissions to deployment:edit a given deployment

      val deplIdToTest = generateRandStr()
      isAuthorised(supportEsUser, deplIdToTest -> "deployment:edit")
      // res1: Boolean = true
    2. Subtract the deployment from the user's allowed set by adding it to the inverse support role

      putEsRole(
        inverse(supportAppPrivName),
        Seq(deplIdToTest)
      )()
    3. Test the access to that deployment again:

      isAuthorised(supportEsUser, deplIdToTest -> "deployment:edit")
      // res3: Boolean = false
    4. Remove it by emptying the inverse support resource list

      putEsRole(
        inverse(supportAppPrivName),
        Seq.empty
      )()
    5. Test the access to that deployment again:

      isAuthorised(supportEsUser, deplIdToTest -> "deployment:edit")
      // res3: Boolean = true
  4. Exit the REPL with ctrl+d then ctrl+c

  5. make stop-es to stop and cleanup ES
